
Introduction To Internal Auditing

slide of AAFS - chapter 1

ADVANCED

AUDIT OF FINANCIAL STATEMENT 3

• CHAPTER 1: INTRODUCTION TO INTERNAL AUDITING


• CHAPTER 2: INTERNAL AUDIT EVIDENCE AND WORKING PAPERS
• CHAPTER 3: INTERNAL AUDIT ENGAGEMENT PROCESS
• CHAPTER 4: INTERNAL AUDIT ENGAGEMENT (CONTINUED)
• CHAPTER 5: FRAUD, FRAUD RISK ASSESSMENT AND DATA ANALYSIS
GENERAL INFORMATION OF THE COURSE

1.1. Course title: Advanced Audit of Financial Statement 3


1.2. Course code: AUD0076
1.3. Number of credits: 2 credits Total credit hours: 33 (including: 03 revision credit hours)
1.4. Course learning outcomes
1.5. Methods of studying and learning
1.6. Course assessment
1.7. Materials for references
1.8. Lecturer’s Information
(Attached including Slides; Course guidelines)
MATERIAL REFERENCES

1. “Advanced audit of financial statement 3”, Original Lecture, Academy of Finance, 2022.
2. Review Questions.
3. https://na.theiia.org/Pages/IIAHome.aspx
4. The International Professional Practices Framework (IPPF) and its elements.
5. Monograph: “Kiểm toán nội bộ theo định hướng rủi ro – Nghiên cứu tình huống các doanh nghiệp Việt Nam” [Risk-Based Internal Auditing – Case Studies of Vietnamese Enterprises]; Dr. Vũ Thùy Linh, Finance Publishing House, Academy of Finance, 2024.
CHAPTER 1:
INTRODUCTION TO
INTERNAL AUDITING

LEARNING OBJECTIVES
CONTENT
1.1. NATURE OF INTERNAL AUDITING
1.2. OVERVIEW OF INTERNATIONAL PROFESSIONAL PRACTICES FRAMEWORK (IPPF)
1.3. GOVERNANCE
1.4. RISK MANAGEMENT
1.5. INTERNAL CONTROL
1.6. MANAGING INTERNAL AUDIT FUNCTION
REVIEW QUESTIONS
CHAPTER LEARNING OUTCOMES

1. Define internal auditing and the elements of its definition.

2. Understand the value proposition that stakeholders expect from the internal audit function.

3. Describe the structure of the International Professional Practices Framework (IPPF) and the categories
of authoritative guidance it provides.

4. Describe the role of the internal audit function in the governance process (Standard 2100 – Nature of
Work; Standard 2110 – Governance).

5. Describe the role of the internal audit function in the risk management process (Standard 2100 – Nature of
Work; Standard 2120 – Risk Management).

6. Examine the effectiveness and efficiency of internal control (Standard 2100 – Nature of Work; Standard
2130 – Control).
INTERNAL AUDITING DEVELOPMENT
1.1. NATURE OF INTERNAL AUDITING
DEFINITION AND ITS ELEMENTS

Internal auditing is an independent, objective assurance and consulting
activity designed to add value and improve an organization’s operations. It
helps an organization accomplish its objectives by bringing a systematic,
disciplined approach to evaluate and improve the effectiveness of risk
management, control, and governance processes (IIA Definition).
(1) Helping the organization accomplish its objectives

• Strategic objectives are those goals that management sets specifically related to stakeholder
interests. The term objectives will be used when discussing what an organization wants to
achieve and the term strategy when discussing the way management intends to achieve those
objectives.

(i) Operations objectives pertain to the effectiveness and efficiency of the entity’s operations,
including operational and financial performance goals, and safeguarding resources against loss.

(ii) Reporting objectives pertain to internal and external financial and nonfinancial reporting
and may encompass reliability, timeliness, transparency, or other terms as set forth by
regulators, standard setters, or the entity’s policies.

(iii) Compliance objectives pertain to adherence to laws and regulations to which the entity is
subject.
(2) Evaluating and improving the effectiveness of risk management, control, and governance
processes.

(3) Assurance and consulting activity designed to add value and improve operations.

(4) Independence and objectivity

Internal auditor:

Standard 1200 – Proficiency and Due Professional Care

Standard 1210 - Internal auditors must possess the knowledge, skills, and other competencies needed to
perform their individual responsibilities. The internal audit activity collectively must possess or obtain the
knowledge, skills, and other competencies needed to perform its responsibilities.

Standard 1220 – Due Professional Care

Internal auditors must apply the care and skill expected of a reasonably prudent and competent internal
auditor. Due professional care does not imply infallibility.

Standard 1230 – Continuing Professional Development

Internal auditors must enhance their knowledge, skills, and other competencies through continuing
professional development.
Global internal audit competency framework structure.
Three pillars for effective Internal Audit Services
• S1110 – Organizational Independence The chief audit executive must report to a level
within the organization that allows the internal audit activity to fulfill its responsibilities. The chief
audit executive must confirm to the board, at least annually, the organizational independence of
the internal audit activity. Interpretation: Organizational independence is effectively achieved when
the chief audit executive reports functionally to the board.
• Examples of functional reporting to the board involve the board: Approving the internal
audit charter. Approving the risk-based internal audit plan. Approving the internal audit
budget and resource plan. Receiving communications from the chief audit executive on the
internal audit activity’s performance relative to its plan and other matters. Approving decisions
regarding the appointment and removal of the chief audit executive. Approving the
remuneration of the chief audit executive. Making appropriate inquiries of management and the
chief audit executive to determine whether there are inappropriate scope or resource limitations.
• Administrative reporting concerns the day-to-day operations of the IA activity (between IA
and management, e.g., the CEO).
• S1130 – Impairment to Independence or Objectivity
Impairment to organizational independence and individual objectivity may include, but is not limited
to, personal conflict of interest, scope limitations, restrictions on access to records, personnel, and
properties, and resource limitations, such as funding.
Internal auditors must refrain from assessing specific operations for which they were previously responsible.
Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for
which the internal auditor had responsibility within the previous year.
The internal audit activity may provide assurance services where it had previously performed consulting
services, provided the nature of the consulting did not impair objectivity and provided individual objectivity is
managed when assigning resources to the engagement.
- Internal auditors may provide consulting services relating to operations for which they had
previous responsibilities. In this case, the CAE confirms that the board understands and approves
the concept of providing consulting services before offering consulting services.
- Independence and objectivity may be impaired if assurance services are provided within 1 year
after a formal consulting engagement. Steps can be taken to minimize the effects of impairment by
1. Assigning different auditors to perform each of the services,
2. Establishing independent management and supervision,
3. Defining separate accountability for the result of the project, and
4. Disclosing the presumed impairment.
INTERNAL AUDITORS

• Have a variety of skills, educational backgrounds, and expertise.
• Use their broad knowledge of the business to help
management achieve its business objectives and assist the
governing body in fulfilling its oversight responsibility.
• Are catalysts, risk and control experts, efficiency specialists, and
problem-solvers.
VALUE PROPOSITION OF INTERNAL AUDITING
FOR KEY STAKEHOLDERS
• Internal Auditing: Assurance Insight Objectivity

Governing bodies and senior management rely on Internal Auditing for
objective assurance and insight on the effectiveness and efficiency of
governance, risk management and internal control processes.
INTERNAL AUDITING PROVIDES

• Assurance that the organization is operating as
management intends.
• Insight for improving controls, processes, procedures,
performance, and risk management; and for reducing
expenses, enhancing revenues, and improving profits.
• Objective assessments of operations.
GOVERNANCE, RISK, CONTROL

• Internal Auditing, as one of the four cornerstones of corporate governance (along with
the governing body, executive management, and external auditing), helps the organization
focus on strong controls, accurate reporting, effective oversight, mitigation of risks, and
protection of investments.
• Assists management and governing bodies in identifying risks.
• Provides insight on effectiveness of controls and compliance with procedures and
regulations, and recommends improvements.
INSIGHT:
CATALYST, ANALYSES, ASSESSMENTS

Internal Auditing is a catalyst for improving an organization’s
effectiveness and efficiency by providing insight and recommendations
based on analyses and assessments of data and business processes.
CATALYST, ANALYSES, ASSESSMENTS

• As a catalyst for improvement, evaluates processes, reports findings and
recommends appropriate courses of action; and advises on key projects/initiatives.
• Through analyses of data and information, provides insight into process improvements.
• Through understanding of the business and its objectives, assesses the efficiency and
effectiveness of operations and protection of assets.
OBJECTIVITY:
INTEGRITY, ACCOUNTABILITY, INDEPENDENCE

• With a commitment to integrity and accountability, Internal
Auditing provides value to governing bodies and senior
management as an independent source of objective advice.
INTEGRITY, ACCOUNTABILITY, INDEPENDENCE

• Grounded in professionalism and integrity through professional
Standards and Code of Ethics.
• Accountable in helping management and governing bodies achieve
their objectives.
• To ensure independence, the CAE should report to an independent
governing body for functional direction, and to management for
administrative oversight. Maintains objectivity by not assuming any
operational responsibilities.
1.2 OVERVIEW OF INTERNATIONAL
PROFESSIONAL PRACTICES FRAMEWORK
1. Mission of Internal Audit
2. Mandatory Guidance
• Core Principles for the Professional Practice of Internal Auditing
• Definition of Internal Auditing
• Code of Ethics
• International Standards for the Professional Practice of Internal Auditing (Standards)
3. Recommended Guidance
• Implementation Guidance
• Supplemental Guidance
1.3. GOVERNANCE (PS 2110: GOVERNANCE)

1.3.1. Governance concept
1.3.2. Governance process and roles
1.3.3. Internal audit’s role in governance process
1.3.1. GOVERNANCE CONCEPT

• According to IPPF, governance is defined as the combination of processes and structures
implemented by the board to inform, direct, manage, and monitor the activities of the organization
toward the achievement of its objectives.
• Corporate governance can be influenced by the internal and external mechanisms.
+ The internal mechanisms include corporate charters and bylaws, boards of directors, and internal
audit functions.
+ The external mechanisms include laws, regulations and the government regulators who enforce
them.
1.3.2. GOVERNANCE PROCESS AND ROLES IN THE ENTITY

The board and management are responsible for the design and
implementation of governance processes.
The IA activity must assess and make recommendations to
improve the organization’s governance processes.
KEY ELEMENTS OF A GOVERNANCE STRUCTURE
Governance has two major components:

- Strategic direction: determines (i) the business model,
(ii) overall objectives, (iii) the approach to risk
taking, and (iv) the limits of organizational conduct.

- Oversight includes (i) risk management activities
performed by senior management and risk owners
and (ii) internal and external assurance activities.
KEY COMPONENTS OF GOVERNANCE OVERSIGHT
1.3.2. GOVERNANCE PROCESS AND ROLES
a. The board is defined by the IIA as the highest-level governing body (e.g., a board of directors, a supervisory board,
or a board of governors or trustees) charged with the responsibility to direct and/or oversee the organization’s
activities and hold the senior management accountable. A board may refer to a committee (e.g., audit committee).
It also has the ultimate responsibilities for oversight.

b. Management performs day-to-day governance functions. Senior management carries out (executes) the board’s
directives to achieve objectives. Senior management determines who is the risk owner and how specific risks will
be managed. Senior management can best execute its governance responsibilities by:

- Establishing a risk committee, for example a chief risk officer (CRO).

- Articulating reporting requirements.

c. The internal audit activity is responsible for assessing and improving governance processes (see more Performance
Standard 2110 – Governance).
1.3.3. INTERNAL AUDIT’S ROLE IN GOVERNANCE

1. The internal audit activity is responsible for assessing and improving governance
processes (see more Performance Standard 2110 – Governance).
2. The CAE should plan the audit based on an assessment of risks that considers
governance processes and related control and communicates with BOD and SM
through consulting services.
EFFECTIVE GOVERNANCE

Board of Directors

External Audit
Internal Audit

Management
QUESTIONS

1. In governance, what are the key responsibilities of:
a. The board of directors?
b. Senior management?
c. Risk owners?
2. What role does the internal audit function play in governance?
THE THREE LINES MODEL
1.4. RISK MANAGEMENT

1.4.1. Fundamental concepts of risk management process
1.4.2. Globally accepted risk management framework to the organization
1.4.3. Internal audit’s role in enterprise risk management
1.4.1. FUNDAMENTAL CONCEPTS OF RISK
MANAGEMENT PROCESS

- Risk management is a process to identify, assess, manage, and control potential events
or situations to provide reasonable assurance regarding the achievement of the
organization’s objectives (The IIA Glossary).

- PS 2120 – Risk management (IA’s role in risk management)

- The risk management process includes (1) identification of context; (2) risk
identification; (3) risk assessment and prioritization; (4) risk response; (5) risk
monitoring.
1.4.2. GLOBALLY ACCEPTED RISK MANAGEMENT
FRAMEWORK TO THE ORGANIZATION
THE COSO II ERM FRAMEWORK

The framework provides:


• A definition of enterprise risk management
• The critical principles and components of an effective
enterprise risk management process
• Direction for organizations to use in determining how to
enhance their risk management
• Criteria to determine whether their risk management is
effective, and if not, what is needed
• Illustrations of how critical principles may look within an
organization
• An overview of an implementation process
• Illustrations that consider varying entity:
• Size
• Strategy
• Industry
• Complexity
EXAMPLE OF A RISK MANAGEMENT PROCESS

(Cycle diagram: aligning risks, responses and reporting as part of business planning.)

1. Risk identification
• Assess business environment
• Review strategic objectives
• Identify related key risks across entire business
2. Prioritisation
• Assess impact of risks (quantitative and qualitative)
• Assess likelihood
• Assess time horizon (near term v. long term)
3. Response assessment
• Review current approach to mitigating risk, and rate its adequacy, e.g. requires significant action; requires some action; well controlled
• Plan improvement actions
4. Reporting
• Summarise in risk report
• Discuss with Group
INTERNAL AUDIT SERVICES MANUAL
A model internal audit methodology is depicted in the framework below:

(Figure: model internal audit methodology, organized into Stage I, Stage II and Stage III. Labels recovered from the diagram: Pre-Engagement Activities; Engagement; Project planning; Activities; Quality Assurance; Section 4: Client Communication; Planning and Scoping; Risk assessment and Audit Plan; Range of Services; Working Practices; Execution; Reporting; Risk Management; Wrap Up; Follow Up.)
Risk assessment

Probability (Likelihood)
• Strength of control environment
  - History of incidents, culture, supervision structures, etc
  - Last audit results
  - Management views & concerns
• Change
  - Internally - processes and people / management
  - Externally - regulatory requirements

Impact
• Materiality
• Complexity of Operations
  - Budget/actual $ value / Transaction volumes processed
  - Extent area impacts on achievement of business objectives
  - Regulatory compliance / reputation impact
Risk based planning – Inherent and Residual

Audit Universe + Risk Assessment + Risk Appetite = Audit Plan

(Figure: chart with Probability and Impact axes, each running from Low to High, showing Inherent risk, Residual risk and Desired risk. Regions are labelled "Internal Audit focus" and "Risk Management / Management’s focus".)
HEAT MAP

(Figure: heat map with Impact and Probability axes. Action legend: Red Flag: Immediate action required; Red Flag: Action required; Programmed Action; Monitor.)
1.4.3. THE INTERNAL AUDIT’S ROLE IN
ENTERPRISE RISK MANAGEMENT
1. The board has an oversight function: ensuring that risk management processes are in place, adequate,
and effective.

2. Management ensures that sound risk management processes are functioning.

3. The internal audit activity may be directed to examine, evaluate, report on, or recommend
improvements to the effectiveness of enterprise risk management.

4. Independent outside auditors: Findings from their financial statement audits may relate to risk
management deficiencies, analytical information, and other recommendations for improvement
that can provide management with valuable information to enhance its risk management program
related to financial reporting risks.
Questions
1. What are typical ERM responsibilities of: a. The board of directors? b. Management?
c. The internal audit function? d. The independent outside auditors?
2. What are some ERM assurance activities the internal audit function may perform? What are
some ERM consulting activities the internal audit function may perform if appropriate safeguards
are implemented? What ERM activities should the internal audit function not perform?
1.5. INTERNAL CONTROL
(STANDARD 2100 - NATURE OF WORK
STANDARD 2130 – CONTROL)
Globally accepted Internal control Frameworks and ERM Frameworks:
1. Internal Control – Integrated Framework (COSO), Committee of Sponsoring Organizations of the
Treadway Commission, United States, 2013
2. Guidance on Risk Management, Internal Control and Related Financial and Business Reporting (FRC
Internal Control Guidance), Financial Reporting Council (FRC), England, 2014.

3. COBIT 5, IT Governance Institute, United States, 2012 (COBIT – A framework for IT
Governance and Management)
4. Enterprise Risk Management Frameworks Enterprise Risk Management – Aligning Risk with Strategy and
Performance, Committee of Sponsoring Organizations of the Treadway Commission, United States, 2016
5. Risk Management – Principles and Guidelines (ISO 31000) of the International Organization for
Standardization (ISO), Switzerland, 2009
1.5.1. INTERNAL AUDIT’S ROLE IN CONTROL

• Definition
• Objectives and Principles
• Components

• IA’s roles in control (see more PS 2130 – Control)


1.5.2. TYPES OF CONTROLS

Control types can be classified in a number of ways:

1. Controls can be classified by the level at which they operate, from a high, overarching level down to
specific processes: Entity-Level Controls, Process-Level Controls, Transaction-Level Controls.
2. Controls are classified based on their importance such as Key controls, Secondary Controls.
3. Some controls are used based on their functions such as Preventive Controls, Detective Controls,
Corrective Controls, Directive Controls, Mitigating controls, Compensating controls and
Redundant Controls.
4. Some IT Controls include IT general controls and Application controls (Input controls, Processing
Controls, Output Controls).
Types of controls: discuss and give examples.
1.6. MANAGING INTERNAL AUDIT FUNCTION

• 1.6.1. Internal audit competency
• 1.6.2. Organization of the internal audit model
1.6.1. INTERNAL AUDIT COMPETENCY

• Standards 1210 and 1220 require that internal auditors possess the knowledge, skills, and
other competencies needed to perform their individual responsibilities.
Global internal audit competency framework structure.
Three pillars for effective Internal Audit Services
1.6.2. ORGANIZATION OF THE INTERNAL AUDIT MODEL

1. In-house
2. Co-sourced
3. Outsourced
DISCUSSIONS
Visit The IIA’s website (www.theiia.org). Locate, read, and prepare to discuss the following items:

1. How do internal and external auditors differ and how should they relate?

2. How does internal audit maintain its independence and objectivity?

3. Is it mandatory to have an internal audit activity?

4. What are the critical skills and attributes of a CAE?

5. What are the skillsets and staffing needs of an internal audit activity?

6. What is internal audit’s role in preventing, detecting, and investigating fraud?

7. What services can the internal auditors provide for the audit committee?

8. What should be the reporting lines for the CAE?

9. What standards guide the work of internal audit professionals?

10. Why should an organization have an audit committee?


REVIEW QUESTIONS
